Why Zero Trust Means Zero Passwords

Shimrit Tzur-David | June 16, 2021

The cybersecurity threat level has risen at such unprecedented rates during the COVID-19 pandemic that Risk Based Security declared 2020 “the worst year on record” even before it was over.

While every breach is different, infiltrated organizations tend to share weaknesses: low security awareness, outdated software, and, perhaps most commonly, weak access controls, since the large majority of breaches involve the use of employee credentials. For hacked organizations, the recognition that a Zero Trust paradigm could have provided continuous and seamless control over users' activity came too late. For many others, the rush is on to adopt Zero Trust building blocks such as passwordless multi-factor authentication (MFA), Privileged Access Management (PAM) tools, and risk-based Identity and Access Management (IAM) platforms.

Moving Away From Traditional Perimeter-Based Security

Also known as the “castle-and-moat” approach, perimeter-based security hinges on the idea that everyone and everything inside the corporate network has been cleared for access and can therefore be trusted. In other words, those inside the “castle” (the perimeter) have crossed the “moat” (most likely firewalls) to get there. Once inside, no one verifies their right to wander around as they please, even if they are about to break into the king's chamber and steal his jewels.

The flaw in this concept was apparent to John Kindervag, then a senior analyst at Forrester, who created the Zero Trust concept in 2010. “Trust is always a vulnerability in a digital system,” he said in a recent interview with Security Roundtable.

Trust is a vulnerability because a packet that appears to come from a trusted user is not proof that the user actually sent it; stolen credentials or a compromised device produce exactly the same traffic. The traditional perimeter model doesn't account for this. Once bad actors pass through the corporate firewalls, they can reach an organization's internal systems and move laterally between applications and data servers unhindered.

A rogue insider doesn't even need to breach the perimeter to access privileged accounts, or to give someone else access to them. The whistleblower Edward Snowden, for example, was a privileged user, which is why he was able to download and exfiltrate classified NSA documents.

Today's digital transformation makes a more robust approach to network security a critical priority for enterprises. With cloud adoption, distributed workforces and, consequently, far more network endpoints, the security perimeter is inherently overstretched.

Zero Trust and the Problem with Passwords

The aim of the Zero Trust model is to improve both security and user experience, and passwords hurt both. 

To start with, passwords are easy to steal and crack. The number of stolen or exposed login details has increased by 300% since 2018. It doesn't help that many people reuse the same password across different applications and accounts, including more than one in two IT leaders.

Compromised passwords are the number one attack vector right now. Worse, more than 7 in 10 breaches involve access to a privileged account. With that in mind, it makes sense that 86% of security decision-makers would ditch password authentication if they could. 

Passwords are also a major drain on people's time. Collectively, humans spend about 1,300 years entering passwords each day, and we waste even more time when we can't remember them. Over 60% of people have felt annoyed or stressed due to forgetting a password. Unsurprisingly, up to 40% of all helpdesk calls are for password resets.

Layering MFA on top of passwords adds yet more steps for the user. Overly complex login procedures ultimately backfire and significantly slow the adoption of a Zero Trust model.

Going Passwordless

The best way to improve security without sacrificing productivity is to go passwordless. A passwordless MFA solution typically authenticates a user through a push notification received on a registered device (something they have), approved with a biometric identifier (something they are). With no password in the loop, enterprises get a login procedure that is far harder to compromise, which makes true Zero Trust possible.

Passwordless authentication further boosts security because there is no password left to share, reuse, or hand over to a phishing page. It also makes logins faster, since users no longer need to keep track of passwords at all. Finally, going passwordless reduces support costs, freeing IT teams to spend their time on loftier tasks than resetting passwords.
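To make the possession-plus-biometric flow concrete, here is an added Go example (not code from the article or from any product it mentions) that models passwordless MFA as a public-key challenge-response: the server stores only the device's public key, so there is no password hash to steal or crack; the device signs a fresh challenge, bound to the origin it was shown, only after a local biometric check passes. The article does not specify a protocol, so the protocol shape, the names (Server, Device, Login) and the `biometricOK` callback standing in for the platform's biometric prompt are assumptions for illustration. The example goes one step beyond the text by showing why a relayed challenge from a look-alike site and a replayed response both fail.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server keeps only public keys (no password hash to steal or crack) and one
// outstanding challenge per user.
type Server struct {
	origin     string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll registers a device's public key for a user, once, at onboarding.
func (s *Server) Enroll(user string, pk ed25519.PublicKey) { s.pubKeys[user] = pk }

// Challenge mints a fresh nonce: the payload the push notification carries.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// signedMessage binds the challenge to the origin the device was shown, so a
// signature made for a look-alike site is worthless at the real one.
func signedMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Verify checks the signature over origin||challenge and consumes the challenge
// so a captured response cannot be replayed.
func (s *Server) Verify(user string, challenge, sig []byte) error {
	pk, ok := s.pubKeys[user]
	if !ok || !bytes.Equal(s.challenges[user], challenge) {
		return errors.New("unknown user or stale challenge")
	}
	delete(s.challenges, user) // single use, whether or not the signature checks out
	if !ed25519.Verify(pk, signedMessage(s.origin, challenge), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Device holds the private key, which never leaves it ("something you have");
// biometricOK is a placeholder for the platform's biometric prompt ("something
// you are"), not a real sensor API.
type Device struct {
	priv        ed25519.PrivateKey
	biometricOK func() bool
}

func NewDevice(biometricOK func() bool) (*Device, ed25519.PublicKey, error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: sk, biometricOK: biometricOK}, pk, nil
}

// Approve is the "tap to approve" step: the biometric unlocks the key and the
// device signs the challenge for the origin it was shown.
func (d *Device) Approve(origin string, challenge []byte) ([]byte, error) {
	if !d.biometricOK() {
		return nil, errors.New("biometric check failed")
	}
	return ed25519.Sign(d.priv, signedMessage(origin, challenge)), nil
}

// Login runs one round trip; deviceOrigin is the origin the device was shown.
func Login(s *Server, d *Device, user, deviceOrigin string) error {
	c, err := s.Challenge(user)
	if err != nil {
		return err
	}
	sig, err := d.Approve(deviceOrigin, c)
	if err != nil {
		return err
	}
	return s.Verify(user, c, sig)
}

func main() {
	srv := NewServer("https://login.example.com")
	dev, pk, _ := NewDevice(func() bool { return true })
	srv.Enroll("alice", pk)
	fmt.Println("genuine:", Login(srv, dev, "alice", "https://login.example.com"))
	fmt.Println("relayed:", Login(srv, dev, "alice", "https://login.examp1e.com"))
}
```

Note what the server never holds: a shared secret. A dump of its database yields public keys that cannot be replayed or cracked, and a phishing page that relays the challenge gets a signature over its own origin, which the real server rejects.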